TimChapman asked:
I found a file that is some sort of virus that I can't remove

I am dealing with a DLL file called ndhygv.dll on a Windows XP Home Edition PC.  I can't remove the DLL.

I found it in the registry, delete the key and it puts it back by itself.

I delete it from startup using msconfig and close and don't reboot to get out of msconfig.  Then I run msconfig again and look at startup.  It is there again.  The virus? is putting it back in for me.  In safe mode, I can't delete the file either.

Any ideas.  <removed by modulo>

I would greatly appreciate any assistance.

Tim Chapman
ASKER CERTIFIED SOLUTION (sunray_2003)
TimChapman,
> I delete it from startup using msconfig

Did you mean disable it?

Go to the Startup tab in msconfig and disable all applications. Reboot the machine and check whether it reappears. If it does not appear, then enable the applications one by one and check which application might be causing it.

#Sun
TimChapman (ASKER):
I did go to the startup tab and disable each application other than the norton applications.  I also tried unchecking the button that says Load Startup Items.  I would then exit msconfig without rebooting.  I would then immediately open it again.  The Load Startup Items button would be checked and the item would be checked in the Startup list.  The virus? is doing this itself.  Same when I would remove it from the registry.  It would put itself back.  This is a very difficult problem to solve because Safe mode did not help either.  Same results there.  It loads in safe mode.
TimChapman,
>  I would then exit msconfig without rebooting.  

As I had previously said, after doing that in msconfig reboot the machine and see what happens.

Have you used the spyware removal tools and checked for viruses?

Post back after doing all these.
TimChapman,

Also try this

First make a backup of your registry

then go to the registry and search for that name that you see in that folder on the desktop.
If you are not familiar with it, delete it.

For searching, first press Ctrl+F. After it reports the first hit, press F3 and search again; keep doing this until you find all references to it.

Post back
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322756
After disabling all applications in msconfig and rebooting, I ran msconfig again.  The entry was still there and the startup items were enabled.  Having disabled them before shutdown, it seems that the virus? is re-enabling the startup items.

> in that folder in desktop

What folder are you referring to?
Oh, I meant this ndhygv.dll.

Search for this name in the registry and remove it if you are not sure what it is.
I do not see any reference to this DLL on Google, so you can remove it.

msconfig checks these in registry


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Go to the registry, check these and remove anything that you are not sure of.
I removed all entries with ndhygv.dll.  Before I could even close regedit, they were back again.  This is very insidious.   The Run and RunOnce keys I checked, and deleted all I did not recognize, but it did no good as these entries would return by themselves.  There is no point in deleting more entries as the changes won't take effect until I reboot and the DLL is run again.  This needs tougher measures and I don't know where to begin.
Also try doing these

a) Remove temporary internet files, cookies and history by going to Internet Explorer ---> Tools ---> Internet Options

b) Go to Start --> Run --> %temp%
Remove all the files there. DO NOT REMOVE THE TEMP FOLDER. Just remove the files inside.

c) Also do disk cleanup
TimChapman,

Have you tried all the spyware tools and virus scanners yet? Try them and post back.

Check your Control Panel --> Add/Remove Programs for any unknown program. If you have any, uninstall them.

Also use these registry cleaners

jv16 http://download.com.com/3000-2094-10196668.html?tag=lst-0-1 (FREEWARE)
RegCleaner http://www.vtoy.fi/jv16/shtml/regcleaner.shtml
AATools RegClean http://www.glocksoft.com/aatools_registry_cleaner.htm
Registry Medic  http://www.iomatic.com/products/product.asp?ProductID=registrymedic
RegVac  http://regvac.com/fregvac.htm#download
I tried deleting temporary internet files.  Some won't delete.

I did not run %temp%.   Please tell me what that should do.  I have never seen that before.

The computer hangs when I try to do a disk cleanup.
TimChapman,
> I tried deleting temporary internet files.  Some won't delete.

What do you mean by this?

Go to Start --> Run and type in "%temp%" (without quotes).
It will open the temporary folder where all temp files are stored on your machine.
Remove all those files.


Not sure why Disk Cleanup would hang your machine. Wait for some time when you do Disk Cleanup, as there would be many unwanted files to clean up.

restart the machine after doing all these
What is the status?

Have you tried all spyware tools, virus scanners etc.?

Remove all those temp files.

post back
I have to wait to do those.  The computer is at a client's location.  He may not want to pay me the hours needed to continue.  I emailed him to ask him to let me have the computer at my site so I can work on it without charging him.  I would like to get to the bottom of this virus (?).  I was very surprised to find nothing about it when I searched Google.  Looks like something new.  

I don't understand the Experts Exchange regarding the Accept button.  When I accept a reply, does that mean the sender gets the 500 points?

Thanks for your effort on this.  I will try to see this to completion so the points can be given and so that the problem can be solved and the information shared.

Tim
Looks like it is a new virus or trojan or spyware.

This is how it works:

You assign 500 pts, or however much you can depending on the question.
Once you click Accept, you will be taken to a page where you need to give the grade.
Depending on the grade, the expert would get pts:

say if you give an A grade, the expert would get 500 * 4 = 2k pts
if B grade, 500 * 3
if C grade, 500 * 2

Hope you understand.
Cleaning your computer - and protecting it in the future - can't be answered with one issue.

As you can see in my URL below there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
The Experts Exchange Help Pages - About Closing Questions
https://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
This is how to find ndhygv.dll and stop it.

1. Start / Run / regedit
2. ENTER
3. CTRL-B
4. ndhygv.dll
5. ENTER
6. If you find it in HKCR/CLSID/{xxxx-xxxx-xxxx}/InprocServer32 then identify all the {yyyy-yyyy-yyyy} in the regkey like HKCR/CLSID/{xxxx-xxxx-xxxx}/Implemented Categories/{yyyy-yyyy-yyyy}
7. If you can find the same {yyyy-yyyy-yyyy} in HKLM/Software/Microsoft/Internet Explorer/ActiveX Compatibility/ then set a kill bit according to:

How to Stop an ActiveX Control from Running in Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;en-us;240797&sd=tech
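The two procedures above (searching the Run/RunOnce keys sunray_2003 listed, and tracing the DLL through HKCR\CLSID\{...}\InprocServer32 to its Implemented Categories and the ActiveX Compatibility kill bit) can be done offline against a regedit export instead of on the infected box, where the thread reports the keys reappearing before regedit can even be closed. The script below is an added example, not code from the thread or from any tool mentioned in it. It assumes an export made with File -> Export in regedit (or `reg export`); SAMPLE_REG, the CLSID and the category GUID in it are constructed for illustration, and only the key paths are real Windows locations. Per KB 240797 the kill bit is written to the control's own CLSID under ActiveX Compatibility, so the emitted .reg fragment targets that CLSID while the status report also covers the category GUIDs the post says to look up.

```python
# Added example, not from the thread: offline triage of a regedit export for
# the DLL being chased. Finds the autorun values msconfig reads, the CLSID(s)
# whose InprocServer32 is the DLL plus their Implemented Categories, and
# checks/emits the ActiveX Compatibility kill bit (KB 240797).
# SAMPLE_REG is constructed; only the key paths are real Windows locations.
import re

AUTORUN_KEYS = [  # the keys listed in the thread
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
]
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE loading a control
CLSID_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ndhygv"="rundll32.exe C:\\WINDOWS\\system32\\ndhygv.dll,DllStart"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\ndhygv.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000
"""


def parse_reg(text):
    """Parse a regedit 5.00 export into {key_path: {value_name: data}}.
    Covers the string and dword forms used here; hex(...) blobs are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif data.startswith('"'):
                keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def get_key(keys, path):
    """Case-insensitive key lookup; None if the key is not in the export."""
    return next((v for k, v in keys.items() if k.lower() == path.lower()), None)


def find_autorun_refs(keys, dll):
    """(key, value name, data) for every autorun value mentioning the DLL."""
    return [(key, name, data)
            for key in AUTORUN_KEYS
            for name, data in (get_key(keys, key) or {}).items()
            if isinstance(data, str) and dll.lower() in data.lower()]


def find_clsids_for_dll(keys, dll):
    """Map each CLSID whose InprocServer32 is the DLL to its category GUIDs."""
    found = {}
    for key, values in keys.items():
        m = CLSID_RE.match(key)
        if m and dll.lower() in str(values.get("(Default)", "")).lower():
            clsid = m.group(1).upper()
            prefix = ("HKEY_CLASSES_ROOT\\CLSID\\%s\\Implemented Categories\\" % clsid).lower()
            found[clsid] = [k.rsplit("\\", 1)[1].upper()
                            for k in keys if k.lower().startswith(prefix)]
    return found


def kill_bit_status(keys, clsids):
    """{guid: (entry exists under ActiveX Compatibility, kill bit set)} for
    each control CLSID and each category GUID found under it."""
    status = {}
    for clsid, cats in clsids.items():
        for guid in [clsid] + cats:
            entry = get_key(keys, ACTIVEX_COMPAT + "\\" + guid)
            flags = (entry or {}).get("Compatibility Flags", 0)
            status[guid] = (entry is not None, bool(flags & KILL_BIT))
    return status


def kill_bit_reg(clsids):
    """A .reg fragment setting the kill bit on each control CLSID; KB 240797
    applies the flag to the control's own CLSID, not to its categories."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines += ["[%s\\%s]" % (ACTIVEX_COMPAT, clsid),
                  '"Compatibility Flags"=dword:%08x' % KILL_BIT, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for key, name, data in find_autorun_refs(keys, "ndhygv.dll"):
        print("autorun  %s\\%s = %s" % (key, name, data))
    clsids = find_clsids_for_dll(keys, "ndhygv.dll")
    for guid, (present, killed) in kill_bit_status(keys, clsids).items():
        print("compat   %s present=%s killbit=%s" % (guid, present, killed))
    print(kill_bit_reg(clsids))
```

Against a real export, replace SAMPLE_REG with the file contents (regedit writes UTF-16, so open it with that encoding) and keep the DLL name as the only search term; the CLSID lookup is what the manual Ctrl+F/F3 loop in the thread was doing by hand, and the emitted fragment can be merged with regedit once the DLL's loader entries are gone.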
Tim Chapman

Use this command to unregister the DLL file, then delete it.
Change the path to wherever the DLL resides. Click Start, then Run, and enter the command:

regsvr32.exe /u \windows\[controlname]

Then delete the registry entries for the file.

nader alkahtani:
regsvr32 /u %systemroot%\system32\ndhygv.dll

ENTER

regsvr32 /u %systemroot%\system\ndhygv.dll

ENTER

good luck